flwr-nightly 1.23.0.dev20250930__py3-none-any.whl → 1.26.0.dev20260121__py3-none-any.whl

flwr/superlink/auth_plugin/noop_auth_plugin.py

@@ -0,0 +1,84 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Concrete NoOp implementation for Servicer-side account authentication and
+authorization plugins."""
+
+
+from collections.abc import Sequence
+from pathlib import Path
+
+from flwr.common.constant import NOOP_ACCOUNT_NAME, NOOP_FLWR_AID, AuthnType
+from flwr.common.typing import (
+    AccountAuthCredentials,
+    AccountAuthLoginDetails,
+    AccountInfo,
+)
+
+from .auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
+
+NOOP_ACCOUNT_INFO = AccountInfo(
+    flwr_aid=NOOP_FLWR_AID,
+    account_name=NOOP_ACCOUNT_NAME,
+)
+
+
+class NoOpControlAuthnPlugin(ControlAuthnPlugin):
+    """No-operation implementation of ControlAuthnPlugin."""
+
+    def __init__(
+        self,
+        account_auth_config_path: Path,
+        verify_tls_cert: bool,
+    ):
+        pass
+
+    def get_login_details(self) -> AccountAuthLoginDetails | None:
+        """Get the login details."""
+        # This allows the `flwr login` command to load the NoOp plugin accordingly,
+        # which then raises a LoginError when attempting to login.
+        return AccountAuthLoginDetails(
+            authn_type=AuthnType.NOOP,  # No operation authn type
+            device_code="",
+            verification_uri_complete="",
+            expires_in=0,
+            interval=0,
+        )
+
+    def validate_tokens_in_metadata(
+        self, metadata: Sequence[tuple[str, str | bytes]]
+    ) -> tuple[bool, AccountInfo | None]:
+        """Return valid for no-op plugin."""
+        return True, NOOP_ACCOUNT_INFO
+
+    def get_auth_tokens(self, device_code: str) -> AccountAuthCredentials | None:
+        """Get authentication tokens."""
+        raise RuntimeError("NoOp plugin does not support getting auth tokens.")
+
+    def refresh_tokens(
+        self, metadata: Sequence[tuple[str, str | bytes]]
+    ) -> tuple[Sequence[tuple[str, str | bytes]] | None, AccountInfo | None]:
+        """Refresh authentication tokens in the provided metadata."""
+        return metadata, NOOP_ACCOUNT_INFO
+
+
+class NoOpControlAuthzPlugin(ControlAuthzPlugin):
+    """No-operation implementation of ControlAuthzPlugin."""
+
+    def __init__(self, account_auth_config_path: Path, verify_tls_cert: bool):
+        pass
+
+    def authorize(self, account_info: AccountInfo) -> bool:
+        """Return True for no-op plugin."""
+        return True

flwr/superlink/federation/__init__.py

@@ -0,0 +1,24 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Federation Managers."""
+
+
+from .federation_manager import FederationManager
+from .noop_federation_manager import NoOpFederationManager
+
+__all__ = [
+    "FederationManager",
+    "NoOpFederationManager",
+]

flwr/superlink/federation/federation_manager.py

@@ -0,0 +1,64 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""Abstract base class FederationManager."""
+
+
+from abc import ABC, abstractmethod
+from typing import TYPE_CHECKING
+
+from flwr.common.typing import Federation
+
+if TYPE_CHECKING:
+    from flwr.server.superlink.linkstate.linkstate import LinkState
+
+
+class FederationManager(ABC):
+    """Abstract base class for FederationManager."""
+
+    @property
+    def linkstate(self) -> "LinkState":
+        """Return the LinkState instance."""
+        if not (ret := getattr(self, "_linkstate", None)):
+            raise RuntimeError("linkstate not set. Assign to linkstate property first.")
+        return ret  # type: ignore
+
+    @linkstate.setter
+    def linkstate(self, linkstate: "LinkState") -> None:
+        """Set the LinkState instance."""
+        self._linkstate = linkstate
+
+    @abstractmethod
+    def exists(self, federation: str) -> bool:
+        """Check if a federation exists."""
+
+    @abstractmethod
+    def has_member(self, flwr_aid: str, federation: str) -> bool:
+        """Check if the given account is a member of the federation."""
+
+    @abstractmethod
+    def filter_nodes(self, node_ids: set[int], federation: str) -> set[int]:
+        """Given a list of node IDs, return sublist with nodes in federation."""
+
+    @abstractmethod
+    def has_node(self, node_id: int, federation: str) -> bool:
+        """Given a node ID, check if it is in the federation."""
+
+    @abstractmethod
+    def get_federations(self, flwr_aid: str) -> list[str]:
+        """Get federations of which the account is a member."""
+
+    @abstractmethod
+    def get_details(self, federation: str) -> Federation:
+        """Get details of the federation."""

flwr/superlink/federation/noop_federation_manager.py

@@ -0,0 +1,71 @@
+# Copyright 2025 Flower Labs GmbH. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ==============================================================================
+"""NoOp implementation of FederationManager."""
+
+
+from flwr.common.constant import NOOP_FLWR_AID
+from flwr.common.typing import Federation
+from flwr.supercore.constant import NOOP_FEDERATION
+
+from .federation_manager import FederationManager
+
+
+class NoOpFederationManager(FederationManager):
+    """No-Op FederationManager implementation."""
+
+    def exists(self, federation: str) -> bool:
+        """Check if a federation exists."""
+        return federation == NOOP_FEDERATION
+
+    def has_member(self, flwr_aid: str, federation: str) -> bool:
+        """Check if the given account is a member of the federation."""
+        if not self.exists(federation):
+            raise ValueError(f"Federation '{federation}' does not exist.")
+        return flwr_aid == NOOP_FLWR_AID
+
+    def filter_nodes(self, node_ids: set[int], federation: str) -> set[int]:
+        """Given a list of node IDs, return sublist with nodes in federation."""
+        if not self.exists(federation):
+            raise ValueError(f"Federation '{federation}' does not exist.")
+        return node_ids
+
+    def has_node(self, node_id: int, federation: str) -> bool:
+        """Given a node ID, check if it is in the federation."""
+        if not self.exists(federation):
+            raise ValueError(f"Federation '{federation}' does not exist.")
+        return True
+
+    def get_federations(self, flwr_aid: str) -> list[str]:
+        """Get federations of which the account is a member."""
+        if flwr_aid != NOOP_FLWR_AID:
+            return []
+        return [NOOP_FEDERATION]
+
+    def get_details(self, federation: str) -> Federation:
+        """Get details of the federation."""
+        if federation != NOOP_FEDERATION:
+            raise ValueError(f"Federation '{federation}' does not exist.")
+
+        run_ids = self.linkstate.get_run_ids(flwr_aid=NOOP_FLWR_AID)
+        nodes = list(self.linkstate.get_node_info(owner_aids=[NOOP_FLWR_AID]))
+        runs = [
+            run for run_id in run_ids if (run := self.linkstate.get_run(run_id=run_id))
+        ]
+        return Federation(
+            name=NOOP_FEDERATION,
+            member_aids=[NOOP_FLWR_AID],
+            nodes=nodes,
+            runs=runs,
+        )

flwr/superlink/servicer/control/{control_user_auth_interceptor.py → control_account_auth_interceptor.py}

@@ -16,7 +16,8 @@
 
 
 import contextvars
-from typing import Any, Callable, Union
+from collections.abc import Callable
+from typing import Any
 
 import grpc
 
@@ -31,34 +32,42 @@ from flwr.proto.control_pb2 import (  # pylint: disable=E0611
     StreamLogsRequest,
     StreamLogsResponse,
 )
-from flwr.superlink.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
+from flwr.superlink.auth_plugin import ControlAuthnPlugin, ControlAuthzPlugin
 
-Request = Union[
-    StartRunRequest,
-    StreamLogsRequest,
-    GetLoginDetailsRequest,
-    GetAuthTokensRequest,
-]
+Request = (
+    StartRunRequest | StreamLogsRequest | GetLoginDetailsRequest | GetAuthTokensRequest
+)
 
-Response = Union[
-    StartRunResponse, StreamLogsResponse, GetLoginDetailsResponse, GetAuthTokensResponse
-]
+Response = (
+    StartRunResponse
+    | StreamLogsResponse
+    | GetLoginDetailsResponse
+    | GetAuthTokensResponse
+)
 
 
-shared_account_info: contextvars.ContextVar[AccountInfo] = contextvars.ContextVar(
-    "account_info", default=AccountInfo(flwr_aid=None, account_name=None)
+shared_account_info: contextvars.ContextVar[AccountInfo | None] = (
+    contextvars.ContextVar("account_info", default=None)
 )
 
 
-class ControlUserAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
-    """Control API interceptor for user authentication."""
+def get_current_account_info() -> AccountInfo:
+    """Get the current account info from context, or return a default if not set."""
+    account_info = shared_account_info.get()
+    if account_info is None:
+        return AccountInfo(flwr_aid=None, account_name=None)
+    return account_info
+
+
+class ControlAccountAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
+    """Control API interceptor for account authentication."""
 
     def __init__(
         self,
-        auth_plugin: ControlAuthPlugin,
+        authn_plugin: ControlAuthnPlugin,
         authz_plugin: ControlAuthzPlugin,
     ):
-        self.auth_plugin = auth_plugin
+        self.authn_plugin = authn_plugin
         self.authz_plugin = authz_plugin
 
     def intercept_service(
@@ -93,48 +102,48 @@ class ControlUserAuthInterceptor(grpc.ServerInterceptor):  # type: ignore
 
             # Intercept GetLoginDetails and GetAuthTokens requests, and return
             # the response without authentication
-            if isinstance(request, (GetLoginDetailsRequest, GetAuthTokensRequest)):
+            if isinstance(request, (GetLoginDetailsRequest | GetAuthTokensRequest)):
                 return call(request, context)  # type: ignore
 
-            # For other requests, check if the user is authenticated
-            valid_tokens, account_info = self.auth_plugin.validate_tokens_in_metadata(
+            # For other requests, check if the account is authenticated
+            valid_tokens, account_info = self.authn_plugin.validate_tokens_in_metadata(
                 metadata
             )
             if valid_tokens:
                 if account_info is None:
                     context.abort(
                         grpc.StatusCode.UNAUTHENTICATED,
-                        "Tokens validated, but user info not found",
+                        "Tokens validated, but account info not found",
                     )
                     raise grpc.RpcError()
-                # Store user info in contextvars for authenticated users
+                # Store account info in contextvars for authenticated accounts
                 shared_account_info.set(account_info)
-                # Check if the user is authorized
-                if not self.authz_plugin.verify_user_authorization(account_info):
+                # Check if the account is authorized
+                if not self.authz_plugin.authorize(account_info):
                     context.abort(
                         grpc.StatusCode.PERMISSION_DENIED,
-                        "❗️ User not authorized. "
+                        "❗️ Account not authorized. "
                         "Please contact the SuperLink administrator.",
                     )
                     raise grpc.RpcError()
                 return call(request, context)  # type: ignore
 
-            # If the user is not authenticated, refresh tokens
-            tokens, account_info = self.auth_plugin.refresh_tokens(metadata)
+            # If the account is not authenticated, refresh tokens
+            tokens, account_info = self.authn_plugin.refresh_tokens(metadata)
             if tokens is not None:
                 if account_info is None:
                     context.abort(
                         grpc.StatusCode.UNAUTHENTICATED,
-                        "Tokens refreshed, but user info not found",
+                        "Tokens refreshed, but account info not found",
                     )
                     raise grpc.RpcError()
-                # Store user info in contextvars for authenticated users
+                # Store account info in contextvars for authenticated accounts
                 shared_account_info.set(account_info)
-                # Check if the user is authorized
-                if not self.authz_plugin.verify_user_authorization(account_info):
+                # Check if the account is authorized
+                if not self.authz_plugin.authorize(account_info):
                     context.abort(
                         grpc.StatusCode.PERMISSION_DENIED,
-                        "❗️ User not authorized. "
+                        "❗️ Account not authorized. "
                         "Please contact the SuperLink administrator.",
                     )
                     raise grpc.RpcError()

flwr/superlink/servicer/control/control_event_log_interceptor.py

@@ -15,8 +15,8 @@
 """Flower Control API event log interceptor."""
 
 
-from collections.abc import Iterator
-from typing import Any, Callable, Union, cast
+from collections.abc import Callable, Iterator
+from typing import Any, cast
 
 import grpc
 from google.protobuf.message import Message as GrpcMessage
@@ -24,7 +24,7 @@ from google.protobuf.message import Message as GrpcMessage
 from flwr.common.event_log_plugin.event_log_plugin import EventLogWriterPlugin
 from flwr.common.typing import LogEntry
 
-from .control_user_auth_interceptor import shared_account_info
+from .control_account_auth_interceptor import get_current_account_info
 
 
 class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
@@ -60,13 +60,13 @@ class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
         def _generic_method_handler(
             request: GrpcMessage,
             context: grpc.ServicerContext,
-        ) -> Union[GrpcMessage, Iterator[GrpcMessage], BaseException]:
+        ) -> GrpcMessage | Iterator[GrpcMessage] | BaseException:
             log_entry: LogEntry
             # Log before call
             log_entry = self.log_plugin.compose_log_before_event(
                 request=request,
                 context=context,
-                account_info=shared_account_info.get(),
+                account_info=get_current_account_info(),
                 method_name=method_name,
             )
             self.log_plugin.write_log(log_entry)
@@ -85,7 +85,7 @@ class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
                     log_entry = self.log_plugin.compose_log_after_event(
                         request=request,
                         context=context,
-                        account_info=shared_account_info.get(),
+                        account_info=get_current_account_info(),
                         method_name=method_name,
                         response=unary_response or error,
                     )
@@ -115,7 +115,7 @@ class ControlEventLogInterceptor(grpc.ServerInterceptor):  # type: ignore
                         log_entry = self.log_plugin.compose_log_after_event(
                             request=request,
                             context=context,
-                            account_info=shared_account_info.get(),
+                            account_info=get_current_account_info(),
                             method_name=method_name,
                             response=stream_response or error,
                         )

flwr/superlink/servicer/control/control_grpc.py

@@ -16,7 +16,6 @@
 
 
 from logging import INFO
-from typing import Optional
 
 import grpc
 
@@ -31,18 +30,22 @@ from flwr.supercore.ffs import FfsFactory
 from flwr.supercore.license_plugin import LicensePlugin
 from flwr.supercore.object_store import ObjectStoreFactory
 from flwr.superlink.artifact_provider import ArtifactProvider
-from flwr.superlink.auth_plugin import ControlAuthPlugin, ControlAuthzPlugin
+from flwr.superlink.auth_plugin import (
+    ControlAuthnPlugin,
+    ControlAuthzPlugin,
+    NoOpControlAuthnPlugin,
+)
 
+from .control_account_auth_interceptor import ControlAccountAuthInterceptor
 from .control_event_log_interceptor import ControlEventLogInterceptor
 from .control_license_interceptor import ControlLicenseInterceptor
 from .control_servicer import ControlServicer
-from .control_user_auth_interceptor import ControlUserAuthInterceptor
 
 try:
     from flwr.ee import get_license_plugin
 except ImportError:
 
-    def get_license_plugin() -> Optional[LicensePlugin]:
+    def get_license_plugin() -> LicensePlugin | None:
         """Return the license plugin."""
 
 
@@ -52,15 +55,16 @@ def run_control_api_grpc(
     state_factory: LinkStateFactory,
     ffs_factory: FfsFactory,
     objectstore_factory: ObjectStoreFactory,
-    certificates: Optional[tuple[bytes, bytes, bytes]],
+    certificates: tuple[bytes, bytes, bytes] | None,
     is_simulation: bool,
-    auth_plugin: Optional[ControlAuthPlugin] = None,
-    authz_plugin: Optional[ControlAuthzPlugin] = None,
-    event_log_plugin: Optional[EventLogWriterPlugin] = None,
-    artifact_provider: Optional[ArtifactProvider] = None,
+    authn_plugin: ControlAuthnPlugin,
+    authz_plugin: ControlAuthzPlugin,
+    event_log_plugin: EventLogWriterPlugin | None = None,
+    artifact_provider: ArtifactProvider | None = None,
+    fleet_api_type: str | None = None,
 ) -> grpc.Server:
     """Run Control API (gRPC, request-response)."""
-    license_plugin: Optional[LicensePlugin] = get_license_plugin()
+    license_plugin: LicensePlugin | None = get_license_plugin()
     if license_plugin and not license_plugin.check_license():
         flwr_exit(ExitCode.SUPERLINK_LICENSE_INVALID)
 
@@ -69,15 +73,14 @@ def run_control_api_grpc(
         ffs_factory=ffs_factory,
         objectstore_factory=objectstore_factory,
         is_simulation=is_simulation,
-        auth_plugin=auth_plugin,
+        authn_plugin=authn_plugin,
         artifact_provider=artifact_provider,
+        fleet_api_type=fleet_api_type,
     )
-    interceptors: list[grpc.ServerInterceptor] = []
+    interceptors = [ControlAccountAuthInterceptor(authn_plugin, authz_plugin)]
     if license_plugin is not None:
         interceptors.append(ControlLicenseInterceptor(license_plugin))
-    if auth_plugin is not None and authz_plugin is not None:
-        interceptors.append(ControlUserAuthInterceptor(auth_plugin, authz_plugin))
-    # Event log interceptor must be added after user auth interceptor
+    # Event log interceptor must be added after account auth interceptor
     if event_log_plugin is not None:
         interceptors.append(ControlEventLogInterceptor(event_log_plugin))
         log(INFO, "Flower event logging enabled")
@@ -90,12 +93,12 @@ def run_control_api_grpc(
         interceptors=interceptors or None,
     )
 
-    if auth_plugin is None:
+    if isinstance(authn_plugin, NoOpControlAuthnPlugin):
         log(INFO, "Flower Deployment Runtime: Starting Control API on %s", address)
     else:
         log(
             INFO,
-            "Flower Deployment Runtime: Starting Control API with user "
+            "Flower Deployment Runtime: Starting Control API with account "
             "authentication on %s",
             address,
         )

flwr/superlink/servicer/control/control_license_interceptor.py

@@ -15,8 +15,8 @@
 """Flower Control API license interceptor."""
 
 
-from collections.abc import Iterator
-from typing import Any, Callable, Union
+from collections.abc import Callable, Iterator
+from typing import Any
 
 import grpc
 from google.protobuf.message import Message as GrpcMessage
@@ -57,7 +57,7 @@ class ControlLicenseInterceptor(grpc.ServerInterceptor):  # type: ignore
         def _generic_method_handler(
             request: GrpcMessage,
             context: grpc.ServicerContext,
-        ) -> Union[GrpcMessage, Iterator[GrpcMessage]]:
+        ) -> GrpcMessage | Iterator[GrpcMessage]:
             """Handle the method call with license checking."""
             call = method_handler.unary_unary or method_handler.unary_stream